ci: add snyk for container image

adding a github action to do security scanning for the cephcsi docker image Signed-off-by: Madhu Rajanna <[email protected]>
ceph · Nov 16, 2023 · fef8700 · fef8700
1 parent 6b3665b
commit fef8700
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/.github/workflows/snyk-container-image.yaml b/.github/workflows/snyk-container-image.yaml
@@ -0,0 +1,34 @@
+---
+# A sample workflow which checks out the code, builds a container
+# image using Docker and scans that image for vulnerabilities using
+# Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+# issues, monitor images for newly disclosed vulnerabilities in Snyk and
+# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+name: Snyk Container
+# yamllint disable-line rule:truthy
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches:
+      - 'devel'
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build a Docker image
+      run: make containerized-build
+    - name: Run Snyk to check Docker image for vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: quay.io/cephcsi/cephcsi:${GITHUB_REF##*/}
+        args: --file=Dockerfile